Wednesday, April 30, 2025

DNSBomb: A New DoS Attack That Exploits DNS Queries


A new practical and powerful denial-of-service (DoS) attack has been discovered that exploits DNS queries and responses.

This new attack has been termed “DNSBomb.” It transforms different security mechanisms employed by DNS, including reliability enhancement, security protection, timeout, query aggregation, and response fast-returning, into powerful attack vectors.

Additionally, the DNSBomb attack exploits other mechanisms, such as the accumulation of low-rate DNS queries, the amplification of queries into large-sized responses, and the concentration of all DNS responses into a short, high-volume periodic burst that overloads the targeted system.

Further, the researchers evaluated 10 mainstream DNS software packages, 46 public DNS services, and over 1.8 million open DNS resolvers. All of the DNS resolvers could be exploited, which indicates the DNSBomb attack’s power and practicality.

It was also concluded that any system or mechanism, such as DNS or CDN, can be exploited to construct DoS traffic.


Technical Analysis

According to the reports shared with Cyber Security News, there have been more than 11 CVEs assigned for this DNSBomb attack which were associated with 

Further, the tool used by the researchers was XMap Internet Scanner, a fast network scanner designed for internet-wide IPv4 and IPv6 network research scanning.

In addition, the research paper specified that the DNSBomb attack is more powerful than the previous PDoS attack (Pulsating DoS Attack), a.k.a. the Shrew Attack, which was first proposed in 2003 by Kuzmanovic and Knightly.

In traditional PDoS attacks, however, it is challenging to synchronize the attack traffic from different bots at targeted servers, which reduces the attack’s effectiveness.

Threat Model

The DNSBomb attack uses worldwide open DNS resolvers to generate short and periodic pulse traffic against the targeted server.

However, an attacker must be capable of IP spoofing. According to July 2023 statistics, 19.7% of IPv4 and 26.7% of IPv6 are identified as IP-spoofable.

Threat Model (Source: DNSBomb)

An attacker can purchase a domain on any domain registration platform and establish a controlled nameserver, then initiate DNS queries towards the exploitable resolvers.

These DNS queries can affect any server or IP address of the targeted victims.

In fact, the threat actor can impersonate any IP as the query’s source address and direct the response to that IP.

Attack Workflow

The DNSBomb attack workflow uses three main methods: accumulating DNS queries, amplifying the DNS queries, and concentrating the DNS responses.

Accumulating means sending as many DNS queries as possible to the exploitable resolver at a very low rate.

Attack Workflow (Source: DNSBomb)

Following this, each small DNS query packet is amplified into a larger response packet via a controlled domain that returns large-sized responses, within the resolver’s capability.

After several queries have been accumulated and amplified into larger responses, the responses are held by the owned nameserver (for the attacker-registered domain) until each query is nearing its timeout.

This works because of a reliability-enhancing DNS mechanism, response fast-returning, which transmits all the packets as soon as possible.

This mechanism is now utilized to concentrate all the responses from the domain on the targeted server, which results in powerful pulsing DoS traffic.
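For defenders, the short, periodic, high-volume bursts described above are the observable signature on the targeted server. The following is an added detection sketch, not code from the article or the research paper: it bins inbound DNS response bytes per second, flags bins far above the median, and checks whether the flagged bins recur at a near-constant interval. The record format, the thresholds, and the sample capture are assumptions constructed for illustration.

```python
from collections import Counter
from statistics import median


def find_pulses(records, bin_s=1.0, ratio=10.0):
    """Return start times of bins whose inbound DNS response volume exceeds
    `ratio` times the median bin volume.

    records: list of (timestamp_s, response_bytes), e.g. UDP source port 53.
    """
    if not records:
        return []
    bins = Counter()
    for ts, size in records:
        bins[int(ts // bin_s)] += size
    first, last = min(bins), max(bins)
    volumes = [bins.get(i, 0) for i in range(first, last + 1)]
    baseline = max(median(volumes), 1)  # avoid a zero baseline on quiet links
    return [(first + i) * bin_s for i, v in enumerate(volumes)
            if v > ratio * baseline]


def pulse_period(pulse_times, tolerance=0.1):
    """Return the period in seconds when at least three pulses recur at a
    near-constant interval, otherwise None."""
    if len(pulse_times) < 3:
        return None
    gaps = [b - a for a, b in zip(pulse_times, pulse_times[1:])]
    mid = median(gaps)
    return mid if all(abs(g - mid) <= tolerance * mid for g in gaps) else None


def constructed_capture():
    """Constructed sample, not real traffic: 40 s of light background DNS
    plus 500 large responses packed into part of every tenth second."""
    records = []
    for sec in range(40):
        records += [(sec + 0.2, 120), (sec + 0.7, 120)]
        if sec % 10 == 5:
            records += [(sec + 0.5 + i * 0.0005, 1200) for i in range(500)]
    return records


if __name__ == "__main__":
    pulses = find_pulses(constructed_capture())
    print("pulse bins:", pulses, "period:", pulse_period(pulses))
```

A median baseline is used because a mean would be dragged upward by the bursts themselves; steady heavy traffic produces no flagged bins.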

DNSBomb Experiment Results (Source: DNSBomb)

Furthermore, a complete report about this new attack technique has been published, which provides detailed information about the attack vector, workflow, prerequisites, techniques, and other aspects.


Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
